Gate counterparty splices behind a confirmation depth

On 0-conf channels splice_locked is sent the moment tx_signatures are
exchanged because the channel's minimum_depth is 0. That's fine when we
initiated the splice since we built the funding output, but on a
counterparty-initiated splice it means we lock in a funding output we
didn't construct and the counterparty can double-spend the splice
transaction out from under us.

Bumps rust-lightning to cb5bdef1, which adds a
ChannelHandshakeConfig::splice_minimum_depth override that only kicks
in when is_initiator is false, and surfaces it on Config as
inbound_splice_minimum_depth.

Default is Some(6) so the library is safe out of the box. An LSP may
want to lower this for better UX with a small safety trade-off.

MDK-798

Author: amackillop

Cargo.toml

@@ -42,17 +42,17 @@ default = []
 # lightning-macros = { version = "0.2.0" }
 
 # Branch: https://github.com/moneydevkit/rust-lightning/commits/lsp-0.2.0/
-lightning = { git = "https://github.com/moneydevkit/rust-lightning", rev = "a10b923620e58ec6d25286a10406aaaf58a1c35c", features = ["std"] }
-lightning-types = { git = "https://github.com/moneydevkit/rust-lightning", rev = "a10b923620e58ec6d25286a10406aaaf58a1c35c" }
-lightning-invoice = { git = "https://github.com/moneydevkit/rust-lightning", rev = "a10b923620e58ec6d25286a10406aaaf58a1c35c", features = ["std"] }
-lightning-net-tokio = { git = "https://github.com/moneydevkit/rust-lightning", rev = "a10b923620e58ec6d25286a10406aaaf58a1c35c" }
-lightning-persister = { git = "https://github.com/moneydevkit/rust-lightning", rev = "a10b923620e58ec6d25286a10406aaaf58a1c35c", features = ["tokio"] }
-lightning-background-processor = { git = "https://github.com/moneydevkit/rust-lightning", rev = "a10b923620e58ec6d25286a10406aaaf58a1c35c" }
-lightning-rapid-gossip-sync = { git = "https://github.com/moneydevkit/rust-lightning", rev = "a10b923620e58ec6d25286a10406aaaf58a1c35c" }
-lightning-block-sync = { git = "https://github.com/moneydevkit/rust-lightning", rev = "a10b923620e58ec6d25286a10406aaaf58a1c35c", features = ["rest-client", "rpc-client", "tokio"] }
-lightning-transaction-sync = { git = "https://github.com/moneydevkit/rust-lightning", rev = "a10b923620e58ec6d25286a10406aaaf58a1c35c", features = ["esplora-async-https", "time", "electrum-rustls-ring"] }
-lightning-liquidity = { git = "https://github.com/moneydevkit/rust-lightning", rev = "a10b923620e58ec6d25286a10406aaaf58a1c35c", features = ["std"] }
-lightning-macros = { git = "https://github.com/moneydevkit/rust-lightning", rev = "a10b923620e58ec6d25286a10406aaaf58a1c35c" }
+lightning = { git = "https://github.com/moneydevkit/rust-lightning", rev = "cb5bdef1664245a80a4981da12ce862f15d8765b", features = ["std"] }
+lightning-types = { git = "https://github.com/moneydevkit/rust-lightning", rev = "cb5bdef1664245a80a4981da12ce862f15d8765b" }
+lightning-invoice = { git = "https://github.com/moneydevkit/rust-lightning", rev = "cb5bdef1664245a80a4981da12ce862f15d8765b", features = ["std"] }
+lightning-net-tokio = { git = "https://github.com/moneydevkit/rust-lightning", rev = "cb5bdef1664245a80a4981da12ce862f15d8765b" }
+lightning-persister = { git = "https://github.com/moneydevkit/rust-lightning", rev = "cb5bdef1664245a80a4981da12ce862f15d8765b", features = ["tokio"] }
+lightning-background-processor = { git = "https://github.com/moneydevkit/rust-lightning", rev = "cb5bdef1664245a80a4981da12ce862f15d8765b" }
+lightning-rapid-gossip-sync = { git = "https://github.com/moneydevkit/rust-lightning", rev = "cb5bdef1664245a80a4981da12ce862f15d8765b" }
+lightning-block-sync = { git = "https://github.com/moneydevkit/rust-lightning", rev = "cb5bdef1664245a80a4981da12ce862f15d8765b", features = ["rest-client", "rpc-client", "tokio"] }
+lightning-transaction-sync = { git = "https://github.com/moneydevkit/rust-lightning", rev = "cb5bdef1664245a80a4981da12ce862f15d8765b", features = ["esplora-async-https", "time", "electrum-rustls-ring"] }
+lightning-liquidity = { git = "https://github.com/moneydevkit/rust-lightning", rev = "cb5bdef1664245a80a4981da12ce862f15d8765b", features = ["std"] }
+lightning-macros = { git = "https://github.com/moneydevkit/rust-lightning", rev = "cb5bdef1664245a80a4981da12ce862f15d8765b" }
 
 #lightning = { path = "../rust-lightning/lightning", features = ["std"] }
 #lightning-types = { path = "../rust-lightning/lightning-types" }
@@ -101,7 +101,7 @@ winapi = { version = "0.3", features = ["winbase"] }
 [dev-dependencies]
 # lightning = { version = "0.2.0", features = ["std", "_test_utils"] }
 # Branch: https://github.com/moneydevkit/rust-lightning/commits/lsp-0.2.0/
-lightning = { git = "https://github.com/moneydevkit/rust-lightning", rev = "a10b923620e58ec6d25286a10406aaaf58a1c35c", features = ["std", "_test_utils"] }
+lightning = { git = "https://github.com/moneydevkit/rust-lightning", rev = "cb5bdef1664245a80a4981da12ce862f15d8765b", features = ["std", "_test_utils"] }
 #lightning = { path = "../rust-lightning/lightning", features = ["std", "_test_utils"] }
 proptest = "1.0.0"
 regex = "1.5.6"

src/config.rs

@@ -120,6 +120,7 @@ pub(crate) const EXTERNAL_PATHFINDING_SCORES_SYNC_TIMEOUT_SECS: u64 = 5;
 /// | `log_level`                            | Debug              |
 /// | `anchor_channels_config`               | Some(..)           |
 /// | `route_parameters`                   | None               |
+/// | `inbound_splice_minimum_depth`         | Some(6)            |
 ///
 /// See [`AnchorChannelsConfig`] and [`RouteParametersConfig`] for more information regarding their
 /// respective default values.
@@ -184,6 +185,21 @@ pub struct Config {
 	/// **Note:** If unset, default parameters will be used, and you will be able to override the
 	/// parameters on a per-payment basis in the corresponding method calls.
 	pub route_parameters: Option<RouteParametersConfig>,
+	/// The minimum confirmation depth required before we send `splice_locked` for splices
+	/// initiated by our counterparty.
+	///
+	/// On 0-conf channels, `splice_locked` would otherwise be sent immediately after
+	/// `tx_signatures` are exchanged. That is safe for self-initiated splices (we built the
+	/// funding output) but unsafe for counterparty-initiated splices: the counterparty could
+	/// double-spend the splice transaction after we've already locked it in. This setting gates
+	/// counterparty-initiated splices behind a configurable confirmation depth.
+	///
+	/// Has no effect on self-initiated splices or on non-0-conf channels (which already enforce
+	/// their own `minimum_depth`).
+	///
+	/// If set to `None`, counterparty-initiated splices inherit the channel's `minimum_depth`,
+	/// which is `0` for 0-conf channels.
+	pub inbound_splice_minimum_depth: Option<u32>,
 }
 
 impl Default for Config {
@@ -198,6 +214,7 @@ impl Default for Config {
 			anchor_channels_config: Some(AnchorChannelsConfig::default()),
 			route_parameters: None,
 			node_alias: None,
+			inbound_splice_minimum_depth: Some(6),
 		}
 	}
 }
@@ -325,6 +342,7 @@ pub(crate) fn default_user_config(config: &Config) -> UserConfig {
 	user_config.manually_accept_inbound_channels = true;
 	user_config.channel_handshake_config.negotiate_anchors_zero_fee_htlc_tx =
 		config.anchor_channels_config.is_some();
+	user_config.channel_handshake_config.splice_minimum_depth = config.inbound_splice_minimum_depth;
 	user_config.reject_inbound_splices = false;
 
 	if may_announce_channel(config).is_err() {